Now, before you get worried about me getting all zen and existential on you in this post, don’t. Nor am I going back on everything I’ve ever talked about or written about with SharePoint Backup/Restore and SharePoint Disaster Recovery. Instead, I’m getting a quick post up here to announce an upcoming webinar that the great folks at Idera have asked me to deliver on the subject of SharePoint Disaster Recovery.

It’s a subject Sean McDonough, who co-authored our two books with me, and I have covered quite a bit already, but I wanted to go in a different direction this time around. A lot of my focus on SharePoint DR in the past has looked at all the things you need to do before a disaster takes place, but this webinar is going to help you start thinking about what you need to do after a disaster to successfully recover your SharePoint environment.

The title of the webinar comes from a phrase I heard someone say back at the last Las Vegas Microsoft SharePoint Conference in 2009, “Backup is not backup. Restore is backup!” (I wish I could remember who it was that said it to me, but it’s a bit of a blur for me, between the information overload and the general Vegas experience.) If that sounds a little strange, let me explain. The phrase, one that Sean and I have also inscribed on a lot of books that we’ve signed for giveaways over the years, points out that backing up your SharePoint isn’t enough: those backups don’t mean a thing if you can’t restore them successfully. That emphasis on restore, the idea that you need to be able to put those backups to actual use if you want to get value out of them, is what I’ll be talking about in this webinar.

The best part, thanks to Idera, is that this webinar is free to attend and view. All you have to do is head over to https://www.vconferenceonline.com/event/regeventp.aspx?id=686 and register for it, and you’re all set – assuming you remember to log in and attend the actual event. 🙂 Hopefully I’ll see you on June 20th in the chat room!

Moving on to the fourth item I outlined in my series on Identity in Office 365, let’s talk about something that Microsoft calls “External Access.” Office 365’s External Access feature provides organizations with the ability to allow users external to the organization access to your SharePoint Online site collections without having to provision a User Subscription License (USL, a purchased “seat” that you pay for each month per user) for that external user. Instead, you can provision these external users with one of 50 free Partner Access Licenses (PAL) that Microsoft makes available for a subscription. This is nice for two reasons: 1) because it’s free(!), and 2) because you don’t have to worry about an external user accidentally being provisioned an Exchange Online inbox when all you want them to do is access SharePoint sites.

There are a few different things I want to cover with External Access, so let’s start with this: while External Access is very similar to a type of on-premises SharePoint configuration known as an Extranet, it’s important to understand that it is not intended to serve as a full-fledged Extranet. An Extranet is a private platform designed to allow both internal and external users to collaborate on shared projects, tasks, documents, and information, which does sound quite a bit like External Access in SharePoint Online. External Access is great because it provides a lot of the things that are hard to implement and configure in an on-premises SharePoint Extranet, such as account provisioning and password resets, but Microsoft is smart in not calling it true Extranet-level functionality. (Another reason they do this is that External Access is considered to be a “Feature Preview” right now, which I cover below.)

With Extranets you also have the ability to segment your external collaborators and very tightly control what aspects of your environment they can access, doing things like preventing them from seeing which users from other organizations you’re collaborating with. You can implement technology that may force them to use certain operating systems or antivirus software in order to connect to your sites, or you can configure specific login procedures such as two-factor authentication. With SharePoint Online and External Access, none of those things are possible. Those differences are important to keep in mind when considering External Access: it’s a great option for sure, but you need to remember that you’re not getting a top to bottom Extranet solution with it.

Another tricky thing with External Access is the kind of account that an external user needs in order to be able to join a SharePoint Online site as an external user. This is one of those areas where Microsoft has made it a bit confusing because of the distinctions they’ve made around account types, but it’s also been confusing because Microsoft has been changing the parameters pretty frequently. In the Office 365 Beta you could join as an external user if you had one of the following types of accounts:

A Live ID from Live.com, Hotmail.com, MSN.com, or another Microsoft website where you can create accounts with Live IDs based in the same domain

An EASI ID (a Live ID you create with your own email address, see my post on EASI IDs for more info)

But when Office 365 hit its production release known as General Availability in the Summer of 2011, you could only grant PALs to other Managed IDs, which was a big drawback given what people had seen in the Beta. Then in the Fall of 2011 Microsoft added support for external users with Live IDs, but not EASI IDs, which was even more confusing (and one of the reasons why I wrote my post on that type of Live ID). Well, as of pretty much today, we’re back to where we started in the Beta and you can now invite external users who have EASI IDs in addition to Managed IDs and Live IDs. This is a big improvement, because it allows your external users to have a familiar, and hopefully consistent, email address that they can use to log in with, reducing confusion and frustration for your users.

Something to keep in mind when planning out how you want to allocate your PALs to external users is that there is a finite amount of them you can use, somewhat… By default each Office 365 subscription comes with the ability to grant up to 50 PALs, which would lead you to believe that’s the maximum you can allocate. But if you read the latest Service Description for SharePoint Online (I recommend that you do that if you want to get an exact picture of how Microsoft defines a given service within SharePoint Online), you’ll find an interesting passage:

“50 PALs are included per tenant. Current “Feature Preview” allows for usage rights of up to 1000 external users without requiring additional PALs. Microsoft reserves the right to charge for additional PALs beyond 50 at the time the next major Office 365 update.”

Pretty encouraging, isn’t it, if you want to have more than 50 users because it’s saying that you can have up to 1,000! But also notice, Microsoft is defining External Access as a “Feature Preview”, which means that they’re still trying to lock in exactly how they want to provide this feature to their users and are essentially turning everyone who takes advantage of it right now into their Beta Testers! And, if you decide to go above that 50 user threshold, there’s a definite chance that they’re going to decide to charge you for those extra users down the road, probably when it exits from the “Feature Preview” stage. Oh, and there’s one other thing, as my friend Dan Usher has found, Office 365 Support doesn’t always know how to increase the number of PALs allocated to your account, so you may have issues trying to add those extra accounts depending on who you talk to in Support.

One final thing, then I’ll wrap this up as it’s gone far longer than I intended it to. As with everything in Office 365, External Access can tend to differ a bit between the Professional and Small Business SKUs (the “P” class) and the Enterprise SKUs (the “E” class), so you need to watch out for that. So far the biggest difference I’ve seen is in how you enable the feature and provision accounts but there may be other areas to watch out for as well. There are a couple of good walkthroughs online about how to enable External Access, but they all tend to cover how to do it for the E SKUs (Office.com’s Help Site and SharePoint MVP Corey Roth both have good posts on it). This is fine, but it references how you go about accessing Office 365’s version of the SharePoint Central Admin site, which isn’t available for P SKU subscriptions (since they only come with one SharePoint site collection).

In a P SKU subscription for Office 365, External Access is enabled by default, so you can skip over the configuration instructions in those posts and go straight to your SharePoint Team Site. Once in the Team site, click the Site Actions menu and select the Share Site option from the bottom of the menu. From that point on your experience should match what Office.com and Corey instruct you to do, but it can be a bit confusing if you’re trying to get around your Admin site and find the top level sites they talk about since you don’t have them in the P SKUs.

Ok, that’s a wrap. If you’ve got any questions about External Access or want me to cover something in this post a little more closely, just let me know in the comments below. Otherwise, I’m going to work on wrapping up my last post in this series on Identity in Office 365, which will be on Lync Federation. Until then, feel free to try and catch me on Twitter!

I realize it’s been a while since I started this series on Identity in Office 365, but I’d really like to get back to it and make a point of wrapping it up before I get into too many other topics here on My Central Admin. So this post is going to take a look at another aspect of Identity that was introduced in Office 365: Account Roles. In the previous version of the platform, most commonly referred to as the Business Productivity Online Suite (BPOS), there were only two types of accounts you could create: Administrators and Users. The User role was for normal end user accounts that could be provisioned subscriptions for the services included in BPOS (Exchange Online, SharePoint Online, Lync Online, and/or Live Meeting Services) and the Administrator role was for accounts that could manage aspects of the BPOS service such as provision accounts, purchase licenses, and create shared contacts or SharePoint sites.

Assigning administrative roles to a new user account in Office 365.

The problem with this approach was that the BPOS Administrator role was an all or nothing proposition. A lot of organizations who wanted to limit the Administrator to only being able to manage specific areas of their BPOS environments could not do so because there was no way to change the rights of that type of user. You had to either give an account full administrative rights in a BPOS environment or set the account to be a standard user and not have any administrative rights. Well, that’s changed with Office 365. Microsoft got a lot of feedback about the inflexibility of the Administrator role in BPOS and listened to it by creating five different types of Administrator roles in Office 365, listed below:

Global Administrator

Billing Administrator

Password Administrator

User Management Administrator

Service Support Administrator

Before I cover each of the role types, I do want to mention a few general things that you should keep in mind:

First of all, it is very important to keep track of the account you used to register and provision your new Office 365 subscription. This account is by default granted full administrative rights for the subscription (same as the Global Admin role), and it is also the defined point of contact that Microsoft has for your organization. You should make sure that the information you provide for this account is accurate, and you need to make sure that this account’s details are known by multiple people in your organization so contact can be maintained with Microsoft should the account owner win the lottery and head off for the Bahamas.

It is also important to understand that the roles discussed here pertain to the overall administration and management of the Office 365 platform and not necessarily the various services within it (Exchange Online, SharePoint Online, and Lync Online). This is covered below in the Service Administrator role, but just remember that these roles, other than the Global Admin role, do not directly grant users rights within Office 365’s individual services.

At this time I’m not aware of any limits on the number of users you can assign to a given role within Office 365, but they could exist. I do know that there are some sizing limits around security within SharePoint 2010 (which SharePoint Online is based on), but those are pretty high.

Ok, now let’s look at each of the Office 365 admin roles:

Global Administrator: this is also known as the “Company Administrator” role, and maps to the old Administrator role available in BPOS. Accounts with this role have full control of your organization’s Office 365 subscription. These are the keys to the kingdom, so make sure to hand them out carefully. Now that there are other role types available, you shouldn’t have to give these rights to everyone, so try not to.

Billing Administrator: users with this role can manage anything within your Office 365 subscription that’s going to involve a financial transaction. They can purchase additional licenses, change how payments are made for the Office 365 subscriptions, or purchase additional resources such as SharePoint storage or Exchange Archival services.

Password Administrator: Password Admins have the ability to reset user passwords, manage service requests that have been submitted to Microsoft for assistance (available with Enterprise or “E” SKUs only since Professional or “P” SKU subscriptions cannot submit service requests), and view the Office 365 Service Health information available within the Admin Portal. This is a handy admin role to have, because you can provide Tier 1 support staff with the ability to handle one of the most common support tasks you’ll face with Office 365, password resets, without the risk of giving them access to more complex aspects of the service that they could harm without the proper training or knowledge. It is important to note that these admins can only reset the passwords of normal users and other password admins; they cannot reset the passwords of admins in the other types of roles.

User Management Administrator: In addition to the rights of Password Admins, User Management Admins also have the ability to create user accounts and provision them with Office 365 User Subscription Licenses (USLs) and to create user groups within Office 365. While they can manage normal user accounts and accounts with the Password Admin role, they cannot make changes to accounts with other admin roles (Global or Billing) nor can they reset passwords for those accounts either.

Service Administrator: I think the Service Admin role is interesting, but can also be a little confusing. On one hand, this is an actual role that can be assigned to a user account, but all a user can do within the Office 365 Admin Portal is view user information and manage support tickets (E SKUs only). But on the other hand, it is necessary to assign this role to a user if you want them to have the ability to manage one or more of the services within Office 365 (Exchange Online, SharePoint Online, and Lync Online), in addition to granting them admin rights within the service itself. It’s important to remember that these services are very directly descended from their equivalent full server platform versions and retain a lot of the security functionality present within those parent platforms. Exchange Online provides much of the same Role Based Access Control (RBAC) settings as Exchange Server 2010 (defined by Exchange Role Groups such as Organization Management, Recipient Management, Help Desk, etc.), and SharePoint Online retains SharePoint’s security model (including SharePoint privilege levels such as Owner, Contributor, and Reader, roles such as Site Collection Administrator, and the use of SharePoint security groups to manage access control lists). So if you want to grant a user some of those granular admin rights within a specific service, you first need to assign them this role in Office 365.

NOTE: there is one other class of admin roles that you may encounter with Office 365, the Delegated Administrator. The Delegated Admin role allows you to grant access to a Microsoft Partner to aid in management of your Office 365 subscription without having to assign a USL (which you pay for) to someone working for that partner to help you. You must have a stated Partner of Record on file with Office 365 to be able to assign the Delegated Admin role, and the users in the role must be affiliated with that Partner. For more information, see http://onlinehelp.microsoft.com/en-us/office365-enterprises/gg243434.aspx.
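The reset boundaries described above for the Password Admin and User Management Admin roles are what stop a help desk account from taking over a more powerful one by resetting its password. The following is an added example, not Microsoft’s or this blog’s code: it models the roles as sets of rights paraphrased from this post, follows chains of password resets, and reports any role that could gain rights that way. The right names, the default-deny treatment of role pairs the post does not mention, and the `WEAK_RULES` misconfiguration are assumptions made for illustration.

```python
# Added example: a model of the password-reset boundaries between Office 365
# admin roles. Rights are paraphrased from the post; role pairs the post does
# not mention are treated as "not allowed" (default deny), an assumption.

RIGHTS = {
    "User": set(),
    "Password Admin": {"reset_passwords", "manage_service_requests",
                       "view_service_health"},
    "User Management Admin": {"reset_passwords", "manage_service_requests",
                              "view_service_health", "create_users",
                              "assign_licenses", "create_groups"},
    "Billing Admin": {"purchase_licenses", "change_payment",
                      "purchase_resources"},
    "Service Admin": {"view_user_info", "manage_support_tickets"},
}
# Global Admin has full control: every right above plus role assignment.
RIGHTS["Global Admin"] = set().union(*RIGHTS.values()) | {"assign_admin_roles"}

# Whose passwords each role may reset, as the post describes it.
PAGE_RULES = {
    "Password Admin": {"User", "Password Admin"},
    "User Management Admin": {"User", "Password Admin"},
    "Global Admin": set(RIGHTS),  # "full control" read as: may reset anyone
}

# Constructed misconfiguration for contrast: help desk may reset Billing Admins.
WEAK_RULES = {**PAGE_RULES,
              "Password Admin": PAGE_RULES["Password Admin"] | {"Billing Admin"}}


def can_reset(actor_role, target_role, rules):
    """True if an account in actor_role may reset a target_role password."""
    return target_role in rules.get(actor_role, set())


def reachable_roles(start, rules):
    """Roles whose accounts `start` can take over through chained resets."""
    seen, stack = set(), [start]
    while stack:
        role = stack.pop()
        for target in rules.get(role, ()):
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return seen


def escalations(rules):
    """Map each role to the rights it could gain by resetting passwords."""
    findings = {}
    for role in RIGHTS:
        gained = set()
        for target in reachable_roles(role, rules):
            gained |= RIGHTS[target] - RIGHTS[role]
        if gained:
            findings[role] = gained
    return findings


if __name__ == "__main__":
    for name, rules in (("page rules", PAGE_RULES), ("weak rules", WEAK_RULES)):
        found = escalations(rules)
        print(name, "->",
              {r: sorted(g) for r, g in found.items()} or "no escalation path")
```

Under the rules as the post states them no role gains anything; under the constructed weak rule the User Management Admin is also affected, because it can reset a Password Admin, who can in turn reset a Billing Admin.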

I’ve been pretty lucky in the last month to be invited to speak at some pretty cool events that have gone down in the Midwest. Last month I made my way up to Detroit to speak at the Detroit Day of Azure about Office 365, and I did a slight variation of a talk I’ve been doing about some of the pros and cons of Office 365. I’ve posted the slides to SlideShare here: http://www.slideshare.net/ferringer/getting-to-know-office365-detroit-day-of-azure-2012. The Day of Azure event was great, my hat’s off to David Giard and his team for putting together a really incredible slate of speakers, and me.

Last week I headed over to Columbus, Ohio for an event that was pretty new to me but was very exciting to be a part of: the 2012 Cloud Intelligence Conference. There have been several editions of this conference held throughout the United States so far this year, and not only did I get to be a part of the Columbus stop on the tour, but I got to do two different presentations on Office 365 and its implications for businesses. My first presentation was a slightly tweaked version of the Office 365 intro talk I mentioned above at the Detroit Day of Azure. I’ve gone ahead and posted it to SlideShare as well, but if you’ve looked at the Detroit slides you probably don’t need to worry about these: http://www.slideshare.net/ferringer/office365-how-the-cloud-makes-it-easy-cloud-intelligence-columbus-2012. My second talk was a new one that I’ve been working on that looks at what I think may be the most compelling use case currently available for the SharePoint Online service in Office 365: extranets. I’ve also posted those slides to SlideShare; you can find them here: http://www.slideshare.net/ferringer/sharepoint-online-as-extranet-hot-or-not.

Now, if you’re here looking for actual blog content beyond links to my presentations, have faith! I’ve given myself an ultimatum of getting a new blog post up this week, I’ve got a huge list of topics I want to cover in the coming months and the best way to ensure that I do that is to write them up 🙂 I’m going to first focus on finishing up my series on Identity in Office 365, and then be turning to a bunch of interesting stuff I’ve come across in the last six months or so.

So keep your eyes peeled and if there’s anything you want me to cover, don’t hesitate to let me know!

As crazy as the last couple of weeks have been, I’ve still been lucky enough to have the opportunity to give a couple of presentations that I really enjoyed, and I wanted to make sure that I passed along links to where I’ve posted the slides from those presentations at SlideShare.

First up is the talk I gave on February 27th, at the 2012 San Francisco stop for SPTechCon on Office 365: How Office 365 Makes IT Easy and Why That’s Difficult. I had an outright blast doing this session, the room was pretty full and the audience was very engaged, which made it a lot of fun and very easy for me. Plus, I got a lot of great questions, which I love because it means that people are interested and engaged. I had a wonderful time at SPTechCon, it really is a top-notch event and definitely something I’d recommend doing if you get the chance.

The other slide deck I want to get shared out is the talk I just gave on March 8th to the IndyNDA .NET Developers User Group: Intro to SharePoint Development for .NET Developers. This topic is definitely a bit of a stretch for me, but I really enjoy trying to stretch myself and tackle new challenges like this. IndyNDA is really a great user group, they pack quite a bit of useful content and assistance into their meetings, so if you’re a developer in the Indianapolis area I’d really recommend attending. I also want to thank my good friend Rob Bogue for really helping me get this presentation into working order, he provided a lot of great insight and feedback to me as I was preparing it.

If you were able to attend either of these presentations, thank you very much for coming and I hope you got something out of them!

Last week I was lucky enough to speak at my local SharePoint user group, SPIN – the SharePoint Users of Indiana, on the topic of SharePoint Online. It was a lot of fun, especially because I got some great questions and we had some great general discussions at the end of the night. It was also a great chance for me to do a new presentation I’d been working on about the challenges and opportunities of designing custom solutions to be deployed to SharePoint Online, which is part of Office 365. SharePoint Online presents a lot of compelling incentives for organizations looking to get up to speed with SharePoint quickly, but there’s also a lot of limitations in the platform and traps you can fall into if you aren’t careful (to me, the biggest trap you can make is assuming that a feature you know is in SharePoint Foundation or SharePoint Server is going to be there in SharePoint Online). The talk is designed to help the audience get to know SharePoint Online better, identify the features and use cases best suited for custom solutions with SharePoint Online, and show them some examples of the gotchas and/or challenges you need to plan for or avoid when designing those solutions.

I know it’s been a while since I’ve been able to get any updates posted here (thankfully though it wasn’t as long of a drought as it’s been in the past…), but this time I’ve had a fairly valid reason: I’ve been working on a whitepaper with my good friend and co-author Sean McDonough for Idera Software on new and improved features for Disaster Recovery in SharePoint 2010. The good news is that we’re all done writing it now, and Idera’s been nice enough to publish it for you to download: http://www.idera.com/Action/RegisterWP.aspx?WPID=34

Anyways, please go check it out and let me know what you think. As far as I know it’s free to download from Idera, but you will probably have to log in (and create an account with them if you haven’t already). I know that means that it’s technically not free since you’re giving them your contact info, but if you’re like me you’ve probably already danced that dance in several other places for similar kinds of info, so go for it!

And in case you need some further incentive, here’s a broad outline of some of the content we cover in the whitepaper:

RPO/RTO – if you want to know DR, you’ve got to know these!

PowerShell and SharePoint 2010 DR – PowerShell FTW

Configuration Backups

SQL Server Database Snapshots

Unattached Content Database Recovery

SQL Server Database Mirroring

Search DR Improvements

Read-only Databases Improvements

SharePoint Native Backup/Restore Improvements

Site Recycle Bins

DR Considerations around Service Applications, Remote BLOB Storage, and Business Connectivity Services

If you’re wanting to know more about what’s new in the DR story for SharePoint 2010, this whitepaper is definitely for you. And it makes a great companion Christmas gift to a fresh new copy of the SharePoint 2010 Disaster Recovery Guide!

My final thoughts on the matter: all in all I’m more concerned about the mechanisms (or lack thereof) Microsoft has set up for customers to stay up to speed on the status of their services than the stability of a platform that is still very young, especially one so completely dependent on so many disconnected systems (platforms in multiple data centers across the world, DNS, internet connectivity, power connectivity, etc.). I’m not letting them off the hook for the issues, especially if this is a trend rather than growing pains. But in general, I think they need to focus as much on having a single simple, coherent, effective, and LOUD way for customers to know about the status of their service as on its stability. I know there are status pages, as well as things like the Twitter account (which was a good tool, and probably the source I’m going to check first for stuff like this from now on), but the perspective I’ve heard from customers and partners is that the information provided right now is either too hard to find and/or understand, or is not current. This isn’t exactly an easy problem to solve (since email would be the natural mechanism and at the same time one that can easily be impacted by an outage), but Microsoft needs to tackle it now rather than later.

UPDATE: As I come across additional links on the outage, I’ll try to post them here. Probably won’t provide as much commentary on them, but at the same time I’m looking to provide links that do give something beyond the ones I’ve already listed…

And now the other side of that story, here’s an interesting article from Infoworld.com about what the term “supported” means when it comes to mobile devices on Office 365 and how it impacts users. He makes a very valid, and important, point so I recommend reading it closely (to me, the most important part of understanding Office 365 is being able to speak to what it can’t do as much as what it can, so that you’re better able to be proactive instead of reactive) : http://www.infoworld.com/d/mobile-technology/dont-be-fooled-office-365-basically-useless-mobile-903

A big selling point for Office 365 is all the different ways that it can be integrated with existing IT investments, allowing for hybrid identity management solutions (I’m working on a rundown of all the permutations in this blog, stay tuned 🙂 ), Exchange, and Lync. While all the hybrid options are great, they also lead to a lot of questions and confusion about what they can and can’t do. This is a helpful FAQ breaking down how calendaring differs and integrates between Exchange Server 2010 SP1 and Exchange Online: http://social.technet.microsoft.com/wiki/contents/articles/exchange-2010-sp1-and-exchange-online-office-365-calendaring-faq.aspx

I saw this status update on Twitter a few weeks back and for some reason it both caught my attention and amused me. I haven’t checked to see if what she’s saying is correct or not (so take it with a grain of salt), but part of me has to think that Office 365 has arrived as a platform if it’s starting to attract some of the frustration/attention/vitriol that we see so regularly with SharePoint 😉 : http://twitter.com/#!/kat_woman/statuses/101662902993432577

I’ve said it before, I’ve said it again: I definitely drink the Office 365 Kool-Aid (I think it’s fruit punch if you’re wondering) but I do try to keep an eye on and present the view from the other side of the fence as well, which is why I’ve got this article from Business Insider about 10 reasons to go with Google Apps. Editor’s note: check out the article’s comments for some good opposing viewpoints to consider: http://www.businessinsider.com/10-reasons-for-choosing-google-apps-over-microsoft-office-365-2011-8

Paul Schnakenburg over at 4sysops.com has a very extensive (8 parts!) review of Office 365, which I think is especially useful since he covers content from the perspective of an IT administrator rather than a business user: http://4sysops.com/archives/series/office-365-review/

A few weeks ago Network World hosted a debate on Office 365 versus Google Apps and invited a major player from each product to contribute to the discussion, along with the general Internet community. Now that the dust’s settled on the discussion a bit, seems like a good time to check it out: http://www.networkworld.com/community/tech-debate-office365-apps?t51hb